Suspicious Installer Package Child Process
Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
Sigma rule (View on GitHub)
1title: Suspicious Installer Package Child Process
2id: e0cfaecd-602d-41af-988d-f6ccebb2af26
3status: test
4description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
5references:
6 - https://redcanary.com/blog/clipping-silver-sparrows-wings/
7 - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
8author: Sohan G (D4rkCiph3r)
9date: 2023/02/18
10tags:
11 - attack.t1059
12 - attack.t1059.007
13 - attack.t1071
14 - attack.t1071.001
15 - attack.execution
16 - attack.command_and_control
17logsource:
18 category: process_creation
19 product: macos
20detection:
21 selection_installer:
22 ParentImage|endswith:
23 - '/package_script_service'
24 - '/installer'
25 Image|endswith:
26 - '/sh'
27 - '/bash'
28 - '/dash'
29 - '/python'
30 - '/ruby'
31 - '/perl'
32 - '/php'
33 - '/javascript'
34 - '/osascript'
35 - '/tclsh'
36 - '/curl'
37 - '/wget'
38 CommandLine|contains:
39 - 'preinstall'
40 - 'postinstall'
41 condition: selection_installer
42falsepositives:
43 - Legitimate software uses the scripts (preinstall, postinstall)
44level: medium
References
-
Silver Sparrow includes a binary compiled to run on Apple’s new M1 chips but lacks one very important feature: a payload
Read More -
Related rules
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- Autoit3.exe Executable File Creation Matching DarkGate Behavior
- Potential In-Memory Download And Compile Of Payloads
- HackTool - Sliver C2 Implant Activity Pattern
- PUA - Wsudo Suspicious Execution